2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 02:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
Size

460KB
MD5

f35d8958edaab270d6c621bb96e395fc
SHA1

194f85bfcfae0f3c0ce55af40266c3fbed0ac245
SHA256

2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92
SHA512

98ece933074eace66440cb9c8f554de417a6b71470804bf9c1a328c53b2b3fa239bd13585ccf52951db331f98410f4da115539166cab59cc40afffe537587fde
SSDEEP

12288:M9podLzMGtJXh2W0skbWd/2fvfwqk0Z4XE75VmiGU1:CpodLQgXhxYbVfvfwo9d

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 2960	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	99
PID 2960 set thread context of 1292	2960	jsc.exe	12
PID 1584 set thread context of 1292	1584	cmd.exe	12

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
2960	jsc.exe
2960	jsc.exe
2960	jsc.exe
2960	jsc.exe
2960	jsc.exe
2960	jsc.exe
2960	jsc.exe
2960	jsc.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2960	jsc.exe
2960	jsc.exe
2960	jsc.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe
1584	cmd.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
Token: SeDebugPrivilege	2960	jsc.exe
Token: SeDebugPrivilege	1584	cmd.exe
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1652	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	84
PID 620 wrote to memory of 1652	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	84
PID 620 wrote to memory of 2044	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	85
PID 620 wrote to memory of 2044	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	85
PID 620 wrote to memory of 1120	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	86
PID 620 wrote to memory of 1120	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	86
PID 620 wrote to memory of 1108	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	87
PID 620 wrote to memory of 1108	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	87
PID 620 wrote to memory of 4772	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	88
PID 620 wrote to memory of 4772	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	88
PID 620 wrote to memory of 1800	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	89
PID 620 wrote to memory of 1800	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	89
PID 620 wrote to memory of 4476	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	90
PID 620 wrote to memory of 4476	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	90
PID 620 wrote to memory of 3792	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	91
PID 620 wrote to memory of 3792	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	91
PID 620 wrote to memory of 3180	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	92
PID 620 wrote to memory of 3180	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	92
PID 620 wrote to memory of 3788	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	93
PID 620 wrote to memory of 3788	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	93
PID 620 wrote to memory of 584	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	94
PID 620 wrote to memory of 584	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	94
PID 620 wrote to memory of 1580	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	95
PID 620 wrote to memory of 1580	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	95
PID 620 wrote to memory of 1880	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	96
PID 620 wrote to memory of 1880	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	96
PID 620 wrote to memory of 1900	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	97
PID 620 wrote to memory of 1900	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	97
PID 620 wrote to memory of 1812	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	98
PID 620 wrote to memory of 1812	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	98
PID 620 wrote to memory of 2960	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	99
PID 620 wrote to memory of 2960	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	99
PID 620 wrote to memory of 2960	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	99
PID 620 wrote to memory of 2960	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	99
PID 620 wrote to memory of 2960	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	99
PID 620 wrote to memory of 2960	620	2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe	99
PID 1292 wrote to memory of 1584	1292	Explorer.EXE	100
PID 1292 wrote to memory of 1584	1292	Explorer.EXE	100
PID 1292 wrote to memory of 1584	1292	Explorer.EXE	100
PID 1584 wrote to memory of 3972	1584	cmd.exe	107
PID 1584 wrote to memory of 3972	1584	cmd.exe	107
PID 1584 wrote to memory of 3972	1584	cmd.exe	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe
  "C:\Users\Admin\AppData\Local\Temp\2898cb7724546579022e85a86b222cc4caf739ea4b325a50f24512e4145f2f92.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:1652
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:2044
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:1120
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1108
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4772
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:1800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4476
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:3792
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
    3⤵
    PID:3180
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
    3⤵
    PID:3788
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
    3⤵
    PID:584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    3⤵
    PID:1580
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    3⤵
    PID:1880
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:1900
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1812
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-133-0x0000016327380000-0x00000163273F8000-memory.dmp

Filesize
480KB

Download
memory/620-134-0x0000016327840000-0x0000016327850000-memory.dmp

Filesize
64KB

Download
memory/1292-183-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-184-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-221-0x0000000007BA0000-0x0000000007BA7000-memory.dmp

Filesize
28KB

Download
memory/1292-220-0x00000000036F0000-0x00000000036F2000-memory.dmp

Filesize
8KB

Download
memory/1292-214-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-213-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-212-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-148-0x0000000009270000-0x0000000009365000-memory.dmp

Filesize
980KB

Download
memory/1292-151-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-152-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-153-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-154-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-155-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-156-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-158-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-159-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-160-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-161-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-162-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-163-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-164-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-165-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-166-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-167-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-168-0x0000000009270000-0x0000000009365000-memory.dmp

Filesize
980KB

Download
memory/1292-175-0x0000000009270000-0x0000000009365000-memory.dmp

Filesize
980KB

Download
memory/1292-181-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-182-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-141-0x0000000007AC0000-0x0000000007B83000-memory.dmp

Filesize
780KB

Download
memory/1292-187-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-211-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-190-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-185-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-188-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-189-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-186-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-191-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-192-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-193-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-194-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-195-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-196-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-197-0x0000000007BA0000-0x0000000007BA2000-memory.dmp

Filesize
8KB

Download
memory/1292-204-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-205-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-206-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-207-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-208-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-209-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1292-210-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1584-142-0x0000000000790000-0x00000000007EA000-memory.dmp

Filesize
360KB

Download
memory/1584-149-0x00000000012B0000-0x000000000133F000-memory.dmp

Filesize
572KB

Download
memory/1584-147-0x0000000001470000-0x00000000017BA000-memory.dmp

Filesize
3.3MB

Download
memory/1584-146-0x0000000000B80000-0x0000000000BAD000-memory.dmp

Filesize
180KB

Download
memory/1584-145-0x0000000000B80000-0x0000000000BAD000-memory.dmp

Filesize
180KB

Download
memory/1584-144-0x0000000000790000-0x00000000007EA000-memory.dmp

Filesize
360KB

Download
memory/2960-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-139-0x0000000000FE0000-0x000000000132A000-memory.dmp

Filesize
3.3MB

Download
memory/2960-140-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download